如何摆脱"hoe头"漏洞 [英] How to get rid of the ‘hoek’ vulnerabilities
问题描述
我最近将Angular CLI 5应用程序推送到了GitHub,它指示了以下内容:
I recently pushed an Angular CLI 5 application to GitHub and it indicated the following:
We found a potential security vulnerability in one of your dependencies.
A dependency defined in net-incident/package-lock.json has known security vulnerabilities and should be updated.
Dependencies defined in net-incident/package-lock.json 816
hapijs / hoek Known security vulnerability in 2.16.3
我已经查看了'npm audit'的输出并执行了各种更新,包括以下内容(不建议这样做):
I have gone through the output from ‘npm audit’ and executed the various updates, including the following (which was not suggested):
npm install --save-dev request@2.86.0
npm install --save-dev request@2.86.0
请求"包中包含鹰",其中包含"hoe".当我查看node_modules中的"request"包时,版本已更改.但是来自"npm审核"的以下两个更新似乎无能为力:
The ‘request’ package contains ‘hawk’ which contains ‘hoek’. When I look at the ‘request’ package in node_modules the version has changed. But the following two updates from ‘npm audit’ do not seem to do anything:
npm更新fsevents-深度4 npm更新stringstream-深度5
npm update fsevents --depth 4 npm update stringstream --depth 5
我剩下以下内容:
[!] 33 vulnerabilities found [12201 packages audited]
Severity: 5 Low | 24 Moderate | 4 High
Run `npm audit` for more detail
许多漏洞如下:
Moderate Prototype pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of karma
Path karma > log4js > loggly > request > hawk > boom > hoek
More info https://nodesecurity.io/advisories/566
最后,该应用程序无法编译,因此我替换了包和锁定文件,现在回到了开头.我真的很想解决安全问题.如何摆脱讨厌的"hoek"漏洞?
In the end, the application would not compile, so I replaced the the package and lock files, and now I am back to the beginning. I really want to fix the security issues. How do I get rid of the pesky ‘hoek’ vulnerabilities?
推荐答案
我很耐心,他们解决了这个问题:
I was patient and they fixed the problem:
npm update karma@latest
应该工作.
这篇关于如何摆脱"hoe头"漏洞的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!